๐ค Ghostwritten by Claude Opus 4.6 ยท Fact-checked & edited by GPT 5.4 ยท Curated by Tom Hundley
If you have ever committed an API key, password, or token to GitHub, assume it may still be valid until you revoke it. GitGuardian's State of Secrets Sprawl 2026 report says 64% of secrets leaked on GitHub in 2022 were still active in 2026. That is the real risk: not just new leaks, but old credentials quietly sitting in commit history, still able to open the door.
For most developers, especially newer AI-assisted builders, the urgent fix is simple: scan your repositories, revoke any exposed secrets, and move credentials out of source code. Deleting a file is not enough. Removing a line in a later commit is not enough. If the secret was committed, treat it as compromised.
This article focuses on the part many security writeups skip: the backlog of old secrets you forgot about.
TL;DR: Most API keys do not expire automatically, so a leaked key can remain usable for years unless you revoke or rotate it.
Think of a leaked API key like a lost house key. It does not stop working because time passed. It stops working only when the lock changes.
That is how many credentials behave. When you create a key for Stripe, OpenAI, Supabase, or another service, it often remains valid until you explicitly revoke it. Some platforms now support expiration policies or scoped, short-lived tokens, but indefinite validity is still common enough to be a real problem.
Here is why old leaks remain dangerous:
The result is a long tail of still-working credentials spread across old repositories and forgotten projects.
TL;DR: AI coding tools can make secret leaks more likely when developers paste real credentials into prompts or accept generated code without checking how secrets are handled.
GitGuardian's 2026 report says AI-related secret incidents increased sharply, including an 81% surge in AI-service-related secrets. The broader lesson is not that AI tools are uniquely reckless. It is that they speed up coding, and speed often reduces review.
If you ask an assistant to "connect to my database" or "set up Stripe payments," the generated code may include placeholders, environment-variable patterns, or, in some cases, real credentials that you pasted into the chat or local context. That is especially risky for newer developers who may not recognize a live key in code.
For example:
const apiKey = process.env.OPENAI_API_KEY;That pattern is usually fine.
This is not:
const apiKey = "sk-live-or-project-key-here";The danger is not just the hardcoded string. It is the workflow around it: generate code, test quickly, commit everything, and move on.
I covered how AI coding assistants leak your API keys in more detail elsewhere. The short version is this: AI can accelerate good security habits or bad ones. If you do not review generated code for secrets, it will amplify mistakes.
| Scenario | Leak Risk | Why |
|---|---|---|
| AI-generated code includes a real key | High | You may commit it without noticing |
You store keys in .env but forget to ignore the file |
High | The file can be committed with the rest of the project |
| You use environment variables and keep secret files out of Git | Lower | Secrets stay out of source files and commit history |
| You also rotate or revoke keys regularly | Lowest | Old leaks become less useful over time |
TL;DR: Scan repository history, revoke every exposed credential you find, and move active secrets into environment-based storage.
Start with GitHub's secret scanning features if they are available for your account or organization. GitHub offers secret scanning across several plan types, but exact coverage varies by repository type and provider pattern, so check your repository security settings rather than assuming it is enabled everywhere.
For local scanning, Gitleaks and TruffleHog are widely used open-source tools. Both can inspect Git history, not just the current working tree.
If the terminal feels intimidating, use your AI assistant to walk you through it. For example:
"I need to scan my project for accidentally committed secrets like API keys, passwords, and tokens. Can you help me install and run Gitleaks on my project folder? Give me the exact commands to run step by step, and explain what the output means. I'm on [Mac/Windows/Linux]."
For every real secret you find:
If a secret was exposed publicly, do not assume it is safe because you saw no obvious abuse. Treat it as compromised.
A .env file is one common way to keep secrets out of application code during local development. For example:
STRIPE_KEY=YOUR_NEW_KEY_HERE
OPENAI_KEY=YOUR_NEW_KEY_HERE
DATABASE_URL=YOUR_DATABASE_CONNECTION_STRINGThen make sure Git ignores that file:
.envThat said, .env files are a development convenience, not a complete secrets-management strategy. In production, use your hosting platform's environment-variable system or a dedicated secrets manager.
If you want help cleaning up an existing project, try this prompt:
"Help me move all hardcoded API keys and secrets in my project into environment variables. Then make sure
.envis in my.gitignorefile so it does not get committed to Git. Show me how to update my code to read from environment variables instead of hardcoded strings."
TL;DR: Prevention is a workflow, not a single tool: keep secrets out of code, scan continuously, and prefer short-lived or scoped credentials where possible.
Once you clean up old leaks, put guardrails in place so you do not repeat the problem.
A practical baseline looks like this:
.env and similar secret files to .gitignore.If you are building quickly with AI tools, this matters even more. Fast iteration is useful, but security failures also scale with speed. That is why issues like GitHub runner compromise and accidental repository exposure tend to connect back to the same root cause: secrets handled casually.
You usually cannot know for certain. Check provider logs for unusual requests, new IP addresses, unexpected charges, or actions your team did not perform. But if a real credential was exposed in a public repository, the safest assumption is that it was collected quickly by automated scanners.
No. Deleting a file in a later commit does not remove it from Git history. You can rewrite history with tools such as git filter-repo or BFG Repo-Cleaner, but even then you should still revoke the leaked credential because you cannot guarantee nobody copied it earlier.
Safer than public repositories, yes. Safe enough for long-term secret storage, no. Private repos still expose secrets to anyone with repository access, and secrets can also leak through logs, forks, backups, screenshots, or compromised accounts.
Not always. Some providers support expiration, restricted scopes, or project-based keys, but many credentials remain valid until you revoke them. Check each provider's current key-management options rather than assuming expiration is automatic.
A secret is the sensitive value itself: an API key, password, token, or connection string. An environment variable is one way to supply that value to an application without hardcoding it in source code. The variable is the container; the secret is the thing being protected.
.env files help in development, but production secrets belong in platform-managed environment settings or a secrets manager.Old secrets are dangerous because they are easy to forget and often still valid. If you have ever committed a credential, the safest move is to assume it may still work until proven otherwise.
Today, pick one repository and scan it. If you find a live secret, revoke it immediately, replace it, and move it out of source control. If you want help building safer workflows around AI-assisted development, Elegant Software Solutions can help you put the right guardrails in place before a small mistake becomes a breach.
Discover more content: